Insecure SMB 1 Protocol Device Warning Issued by Microsoft

In an attempt to warn IT and consumers, Microsoft has released a list of products that are using the flawed Server Message Block 1 (SMB 1).

The insecure and long-deprecrated SMB 1 protocol made headlines last month in connection with the infamous "WannaCry" ransomware outbreak. The malware, designed to lock up system files, purportedly used an SMB 1 flaw targeted by U.S. National Security Agency hacking code.

In response to the ransomware outbreak, Microsoft advised organizations to apply its "critical" March MS17-010 security update, but it also advised organizations to stop using SMB 1 as a general security practice.

A recent post by the Software Engineering Institute (SEI) of Carnegie Mellon University explained that the best protection against future ransomware attacks is to have a regular backup system in place. Organizations can also limit where code can execute, limit administrator account privileges and keep software patched. SEI also advised organizations to have an e-mail attachment scanning service in place to block ransomware, as well as a spam-blocking service to reduce the spam volume. They should also "completely block remote desktop protocol (RDP) and other remote management services" at the firewall.

Microsoft's SMB 1 List
Organizations likely will need to detect if their networks have SMB 1 sharing dependencies before eliminating the protocol. And it's turning out that plenty of networking products actually do use SMB 1, making the task of getting rid of it perhaps harder for organizations.

Ned Pyle, a principal program manager responsible for the SMB protocol at Microsoft, has started a list of SMB 1 use in vendor products. So far, the list includes brand names like Canon, Cisco, F5, IBM, McAfee, MYOB, NetApp, NetGear, QNAP, Sonos, Sophos, Synology, Trinti and VMware.

Pyle is asking the public to submit more names for this list if the vendor has confirmed the SMB 1 dependency in some way.

Surprisingly, Microsoft also used SMB 1 in Windows 10 and Windows Server 2016. However, Pyle pledged it'll get expunged with the release of "RS3."

"SMB1 has been deprecated for years and will be removed by default from many editions and SKUs of Windows 10 and Windows Server 2016 in the RS3 release," Pyle stated, in the announcement.

By RS3, Pyle likely means "Redstone 3," which is the purported internal Microsoft code name for the Windows 10 fall creators update, expected in September.

WannaCry malware signatures are detected by the Exchange Online Protection service for Office 365 users. E-mail and phishing attempts are potential attack vectors for WannaCry, but Microsoft's announcement indicated that "we are not seeing the campaign propagating via email."

The Office 365 Advanced Threat Protection service, which works with Exchange Online Protection, "should catch new variants of WannaCry," Microsoft indicated, adding that "to ensure optimal performance of EOP/ATP it is very important to check that EOP is properly configured."

Organizations can use the Office 365 Threat Intelligence service to check if e-mails associated with the WannaCry malware were delivered. Policies can be set using the Office 365 Advanced Security Management portal to block any accounts that uploaded files with the .WNCRY file extension.

New Security Tools
Microsoft also indicated this week that it is adding new security tools to its Office 356 protective services. On the reporting side, there's a new Threat Protection Status dashboard, accessible at this portal page. The dashboard pulls together information from Exchange Online Protection antimalware engines, as well as information from the Safe Attachments and Safe Links capabilities of the Office 365 Advanced Threat Protection service.

The Safe Links service is getting the ability to work with a customized list of URLs that should be blocked. It's also getting a "wildcard blocking" capability for specific "domains and handles" used in e-mails. The character limit for URLs also is getting extended.

The Office 365 Security and Compliance Center has a new centralized quarantine portal that reflects e-mail classifications performed by the Exchange Online Protection and Office 365 Advanced Threat Protection services.

Microsoft also announced this week that Organizations using Windows 10 devices with Microsoft's built-in Windows Defender Antivirus solution can now check the compliance of the antimalware software across their clients. To do that, they can use the Update Compliance preview tool in Windows Analytics, which is accessible in Microsoft's Operations Management Suite (OMS) offering. The use of OMS typically requires a paid subscription, although Microsoft claims that the Update Compliance preview is a free tool to use currently.

Lastly, there's a PowerShell script available for organizations looking for a quick way to count vulnerabilities in Microsoft's monthly quality update releases. The script is described in this blog post.